Abstract

It is well known that $n$ bits of entropy are necessary and sufficient to perfectly encrypt $n$ bits (one-time pad). Even if we allow the encryption to be approximate, the amount of entropy needed doesn't asymptotically change. However, this is not the case when we are encrypting quantum bits. For the perfect encryption of $n$ quantum bits, $2n$ bits of entropy are necessary and sufficient (quantum one-time pad), but for approximate encryption one asymptotically needs only $n$ bits of entropy. In this paper, we provide the optimal trade-off between the approximation measure $\epsilon$ and the amount of classical entropy used in the encryption of single quantum bits. Then, we consider $n$-qubit encryption schemes which are a composition of independent single-qubit ones and provide the optimal schemes both in the 2- and the $\infty$-norm. Moreover, we provide a counterexample to show that the encryption scheme of Ambainis-Smith [3] based on small-bias sets does not work in the $\infty$-norm.



I Introduction 

Secure transmission of information is a subject that has been studied extensively. In this model, Alice wants to securely transmit a message to Bob using a secret key that they both share, in such a way that any eavesdropper gets absolutely no information about the message sent. In the classical world, Shannon [11, 12] has shown that for the perfect encryption of $n$ classical bits, it is necessary and sufficient to use $n$ bits of classical entropy (one-time pad). By performing a bitwise XOR between the $n$-bit message and the $n$-bit secret key, the view of any eavesdropper that has no knowledge of the key is just a uniformly random $n$-bit string. Ambainis, Mosca, Tapp and de Wolf [2] showed that $2n$ classical bits of entropy are necessary and sufficient for the transmission of $n$ quantum bits.

Let us briefly sketch how one can perfectly encrypt a quantum bit. Let $\rho$ be the state of an arbitrary qubit and let $I, X, Y, Z$ be the four Pauli matrices. Then, by using two bits of classical entropy we can uniformly pick one of the four matrices and apply it to our qubit. The state of the qubit after the encryption is

$$\mathcal{E}(\rho) = \frac{1}{4}\left(\rho + X\rho X + Y\rho Y + Z\rho Z\right).$$

It's easy to verify that for all states $\rho$, $\mathcal{E}(\rho) = \frac{1}{2}I$ and hence the view of the eavesdropper is the completely mixed state, i.e. she gets no information about the encrypted state $\rho$. The scheme easily generalizes to $n$-qubit states by using $2n$ classical bits of entropy.



The entropy needed for the perfect encryption of quantum states is two times what is needed for the perfect encryption of classical bits. Interestingly, this is no longer true when we look at approximate encryption. Let $\rho \in \mathbb{C}^{d\times d}$ be the state of a $(\log d)$-qubit message, $\{U_k \in \mathbb{C}^{d\times d} \mid k \in [N]\}$ be a set of $N$ unitary operations acting on $\log d$ qubits and $\mathcal{D} = \{w_1, \ldots, w_N\}$ be a distribution on $[N]$. Imagine the encryption scheme where Alice picks a unitary with probability $w_k$ and applies it to the message. The ciphertext can be written as

$$\mathcal{E}(\rho) = \sum_{k\in[N]} w_k U_k \rho U_k^\dagger$$

and the entropy of the scheme is defined as the Shannon entropy $H(\mathcal{D})$.

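Definition 1 The map $\mathcal{E}$ is an $(\epsilon, H)$-approximate encryption scheme for the $\infty$-norm, if the entropy of the scheme is $H$ and for all states $\rho$

$$\left\|\mathcal{E}(\rho) - \frac{I}{d}\right\|_\infty \le \frac{\epsilon}{d}.$$

Similarly, the map $\mathcal{E}$ is an $(\epsilon, H)$-approximate encryption scheme for the 2-norm, if the entropy of the scheme is $H$ and for all states $\rho$

$$\left\|\mathcal{E}(\rho) - \frac{I}{d}\right\|_2 \le \frac{\epsilon}{\sqrt{d}}.$$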



Hayden, Leung, Shor and Winter [5] found an $(\epsilon, n + o(n))$-approximate encryption scheme for $n$ qubits. Specifically, they showed that an encryption scheme that applies a unitary on $\rho$ picked uniformly from a random set of unitaries of size $2^{n+o(n)}$ achieves $\epsilon$-approximation. Ambainis and Smith [3] derandomized this construction using small-bias sets and constructed deterministically a set of $2^{n+o(n)}$ unitaries that achieves an $(\epsilon, n + o(n))$-approximation for the 2-norm.

On the other hand, it is not hard to see that for the classical case, one needs at least n— log(l— I) bits of entropy for an $\epsilon$-approximation scheme. Hence, the entropy needed for the approximate encryption of classical and quantum states is asymptotically equal.

In this paper, we start by investigating the approximate encryption of single qubits and find the optimal trade-off between the approximation measure $\epsilon$ and the amount of classical entropy $H$, i.e. we calculate the least amount of classical entropy which is necessary and sufficient to achieve an $\epsilon$-approximation. Our proof is constructive in the sense that for any given $\epsilon$ we describe the encryption scheme that achieves the optimal $H$ and vice versa. The following theorem holds both for the $\infty$- and 2-norm. Note the weights in the distributions are in decreasing order.



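Theorem 1 Let $\mathcal{E}(\rho)$ be the optimal $(\epsilon, H)$-approximate encryption scheme for a qubit. Then,

1. The encryption is of the form $\mathcal{E}(\rho) = w\rho + xX\rho X + yY\rho Y + zZ\rho Z$.

2. For any fixed $\epsilon$, the optimal distribution $\mathcal{D}$ (and hence the minimum entropy $H$) is:

(i) $\epsilon < 1/6$: $\mathcal{D} = \left\{\frac{1}{4} + \frac{\epsilon}{2},\ \frac{1}{4} + \frac{\epsilon}{2},\ \frac{1}{4} + \frac{\epsilon}{2},\ \frac{1}{4} - \frac{3\epsilon}{2}\right\}$,

(ii) $1/6 < \epsilon < 0.287$: $\mathcal{D} = \left\{2\epsilon,\ \frac{1}{2} - \epsilon,\ \frac{1}{2} - \epsilon,\ 0\right\}$,

(iii) $\epsilon > 0.287$: $\mathcal{D} = \left\{\frac{1}{4} + \frac{3\epsilon}{2},\ \frac{1}{4} - \frac{\epsilon}{2},\ \frac{1}{4} - \frac{\epsilon}{2},\ \frac{1}{4} - \frac{\epsilon}{2}\right\}$.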






In Section II we find the optimal Pauli encryption scheme for a qubit and in Section III we show that Pauli encryption schemes are no worse than general encryption schemes.

Next, in Section IV we consider $n$-qubit encryption schemes which are a composition of independent single-qubit schemes that each use entropy $H$. In general, such questions are not easy to tackle, since they hinge on notoriously hard questions on the additivity of quantum channels. However, in this case we only consider unitary operations and hence we can use a result of King [5] in order to find the optimal schemes.

Theorem 2 Let $P$ be the single-qubit Pauli encryption scheme, which achieves the optimal approximation $\epsilon$ for the given entropy $H$. Then, the optimal $n$-qubit independent encryption scheme $R(\rho)$ is the same for both the 2- and the $\infty$-norm and has the following properties:

1. $R(\rho) = P^{\otimes n}(\rho)$.

2. $\left\|R(\rho) - \frac{I}{2^n}\right\|_2 \le \frac{\epsilon\sqrt{n}}{2^{n/2}} + \frac{o(\epsilon\sqrt{n})}{2^{n/2}}$.

3. $\left\|R(\rho) - \frac{I}{2^n}\right\|_\infty \le \frac{n\epsilon}{2^n} + \frac{o(n\epsilon)}{2^n}$.

The above bounds are tight and hence for any encryption scheme that acts independently on each qubit, $2n - o(n)$ bits of entropy are necessary for approximate encryption.

Finally, in Section V we discuss non-independent $n$-qubit encryption schemes. In particular, we are interested in the Ambainis-Smith small-bias set based scheme. In [3] they found an $(\epsilon, n + o(n))$-approximate encryption scheme for the 2-norm. Their scheme uses a deterministically constructed small-bias set of $2n$-bit strings of size $2^{n+o(n)}$, where each string corresponds to a unitary which is a tensor product of $n$ Pauli matrices. The message is encrypted by picking uniformly a unitary from this set. One of the open questions in their paper is whether this scheme is also an $(\epsilon, n + o(n))$-approximate encryption scheme for the $\infty$-norm. We resolve this by finding an example of an asymptotically optimal small-bias set, for which the encryption scheme of Ambainis-Smith fails in the $\infty$-norm. However, it is possible that an $(\epsilon, n + o(n))$-approximate encryption scheme for the $\infty$-norm can be constructed in a different way, for example by using a small-bias set with some extra properties.



II The Optimal Pauli Encryption Scheme 

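The input state to our encryption scheme is a quantum bit which can be described by a density matrix $\rho$, i.e. a hermitian matrix with unit trace

$$\rho = \frac{1}{2}\left(I + r_x X + r_y Y + r_z Z\right), \qquad (1)$$

where $r = (r_x, r_y, r_z)$ is a unit vector, and the four Pauli matrices are

$$I = \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix},\quad X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix},\quad Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix},\quad Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}.$$

Let us denote the $+1$ eigenvectors of the matrices $X$, $Y$ and $Z$ by $|x+\rangle$, $|y+\rangle$ and $|z+\rangle$.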

A Pauli encryption scheme for single qubits is described by a probability distribution on the four Pauli matrices, i.e. by a probability vector $\mathcal{D} = (w, x, y, z)$, such that the encryption of a qubit $\rho$ is given by

$$\mathcal{E}_{wxyz}(\rho) = w\rho + xX\rho X + yY\rho Y + zZ\rho Z. \qquad (2)$$

Without loss of generality, we can assume the weights $\{w, x, y, z\}$ obey $w \ge z \ge x \ge y \ge 0$. The reason for this is that these four unitaries are freely interchangeable by picking a suitable $\rho = U\rho' U^\dagger$. If the original qubit $\rho$ was encoded by $\mathcal{E}(\rho)$, with weights $\{w, x, y, z\}$, we can achieve the same encoding $\mathcal{E}'(\rho')$ on the transformed qubit $\rho'$, just with $\{w, x, y, z\}$ permuted.

The classical entropy used by the encryption scheme is the entropy of the probability distribution, i.e. $H(\{p_i\}) = -\sum_i p_i \log_2 p_i = -w\log w - x\log x - y\log y - z\log z$.

To test how good the encryption scheme is, we want to know how much the encrypted state differs from the completely mixed state in the 2- and the operator norm. For any $d$-dimensional matrix $A$, the 2- and operator norm are related to the eigenvalues of the matrix, namely

$$\|A\|_2^2 = \sum_{k=1}^{d} |\lambda_k|^2, \qquad \|A\|_\infty = \max_k |\lambda_k|.$$

Thus, for the operator norm we need to examine the maximum of the absolute value of the eigenvalues of

$$\mathcal{I}(\rho) = \mathcal{E}_{wxyz}(\rho) - \frac{1}{2}I.$$

Note that since the matrix $\mathcal{I}(\rho)$ has trace equal to 0, the two eigenvalues are of the form $\pm\lambda$ and hence, the 2-norm is maximized simultaneously with the operator norm.

II.1 The maximum eigenvalue of $\mathcal{I}(\rho)$

After applying the channel (2) to the density matrix described by (1), we obtain

$$\mathcal{E}_{wxyz}(\rho) = \frac{1}{2}\left(I + r'_x X + r'_y Y + r'_z Z\right),$$

where the new parameters can be easily determined from (2) using the anticommutation relations for Pauli matrices:

$$r'_x = (w + x - z - y)\,r_x = (2(w + x) - 1)\,r_x,$$
$$r'_y = (w + y - z - x)\,r_y = (2(w + y) - 1)\,r_y,$$
$$r'_z = (w + z - x - y)\,r_z = (2(w + z) - 1)\,r_z.$$

This shows that the parameters $r_x$, $r_y$ and $r_z$ shrink according to the above relations. The factors can be negative, but because we have $w \ge z \ge x \ge y$ and $w + z + x + y = 1$, with a little work one can verify that the magnitude of the shrinking factor $|2(w + z) - 1|$ in front of $r_z$ is the largest of the three.

Using the geometric description (1) of $\rho$, we can express the matrix $\mathcal{I}(\rho)$ as

$$\mathcal{I}(\rho) = \mathcal{E}(\rho) - \frac{1}{2}I = \frac{1}{2}\left(r'_x X + r'_y Y + r'_z Z\right).$$

Its eigenvalues are then simply $\pm\frac{1}{2}|r'|$.

Our goal is to find the maximum eigenvalue $|\lambda_{\mathcal{I}(\rho)}|$ over all states $\rho$ as a function of the probability distribution $\mathcal{D} = (w, z, x, y)$ and then pick the distribution that minimizes it. Already knowing that the shrinking factor in front of $r_z$ is the largest, we can maximize $|\lambda_{\mathcal{I}(\rho)}|$ by picking $\rho$ with $r = (0, 0, 1)$. This gives us $r' = (0, 0, 2(w + z) - 1)$, and

$$\max_\rho |\lambda_{\mathcal{I}(\rho)}| = w + z - \frac{1}{2}. \qquad (3)$$

Note that $w$ and $z$ are the two largest weights and therefore we always have $w + z \ge \frac{1}{2}$.

We thank the referees for pointing out a geometric view of the Pauli encoding in [S], which 
simplified the proof in this section. 



II.2 The optimal trade-off between approximation and entropy

In Section II.1 we found an upper bound on the maximum eigenvalue of $\mathcal{I}(\rho)$ as a function of the probability distribution used by the Pauli encryption scheme. Note also that equation (3) shows that for a perfect encryption the only possible scheme is the one that uses a uniform distribution over the four Pauli matrices.

The natural question is to find the optimal Pauli encryption scheme when we can only use a fixed amount $H$ of classical entropy. Turning the question around, we fix the approximation parameter $\epsilon$ and calculate the necessary entropy to achieve it.

Let us fix $\epsilon = \max_\rho |\lambda| = w + z - 1/2$. In addition, the condition $w \ge z$ implies that $1/4 + \epsilon/2 \ge z$. Our goal is to minimize the classical entropy needed to achieve approximation $\epsilon$:

$$H(\epsilon) = \min_{\mathcal{D}} \left(-w\log w - z\log z - x\log x - y\log y\right).$$

Keeping $x$, $y$ and $\epsilon$ fixed, the entropy as a function of $z$ is concave, with a maximum at $z = w$. Because $z \le w$, the entropy decreases with decreasing $z$. Specifically, if $z > x + y$, one can decrease the entropy by setting $z = x + y$ (and increasing $w$ accordingly, to keep $\epsilon$ fixed). Without loss of generality, one can then assume that $z \le x + y$ for the optimal $\mathcal{D}$. Now, let us minimize the entropy as a function of $x$. It is concave in $x$, with a maximum at $x = y = (1 - w - z)/2$ and possible minima at the endpoints. Because $x \ge y$, we want to pick $x$ as large as possible. Because $x \le z$ and $z \le x + y$, this results in $x = z$. The weights that minimize the entropy for a fixed $\epsilon$ thus are (as a function of $z$)

$$w = 1/2 + \epsilon - z, \qquad x = z, \qquad y = 1/2 - \epsilon - z.$$

To find the optimal $H(\epsilon)$, one thus needs to minimize

$$H(\epsilon, z) = -\left(\tfrac{1}{2} + \epsilon - z\right)\log\left(\tfrac{1}{2} + \epsilon - z\right) - 2z\log z - \left(\tfrac{1}{2} - \epsilon - z\right)\log\left(\tfrac{1}{2} - \epsilon - z\right)$$

with respect to $z$, remembering the constraints collected so far ($w \ge z \ge x \ge y \ge 0$, $x + y \ge z$):

$$\frac{1}{4} + \frac{\epsilon}{2} \ge z \ge \frac{1}{4} - \frac{\epsilon}{2}, \qquad (4)$$

$$\frac{1}{2} - \epsilon \ge z. \qquad (5)$$

We perform this minimization in Appendix A.1 and conclude that for $\epsilon < 1/6$, picking the three larger weights to be equal is the entropy-minimizing strategy. For $1/6 < \epsilon < \epsilon_0$, picking only three unitaries, with two of the lower weights equal, is the best choice. For $\epsilon_0 < \epsilon < 1/2$, it is optimal to pick the three smaller weights to be equal.

Turning the argument around - given entropy $H$, what is the optimal Pauli encryption scheme? There is a unique way to pick the probability distribution with the given entropy that minimizes the parameter $\epsilon$.

$$\mathcal{D} = (1 - 2z,\ z,\ z,\ 0) \qquad (6)$$

Note that the weights are in descending order and that the approximation $\epsilon$ is given by the sum of the largest two weights minus $\frac{1}{2}$. Also, one should not expect the optimal distribution parameters to be continuous at $H_0$. These two ways of picking the weights come from different regions in the parameter space $\{w, z, x, y\}$, and the choice of the optimal distribution is simply a numerical minimum of these two functions. The point $H_0$ (or equivalently $\epsilon_0$) does not have an obvious special meaning.

III The optimality of Pauli Encryption Schemes

In this section we give an elementary constructive proof that the Pauli encryption schemes are no worse than any general encryption scheme. For any encryption scheme $\mathcal{E}(\rho) = \sum_k p_k U_k \rho U_k^\dagger$ with arbitrary unitaries and weights, we give a Pauli encryption scheme with weights $\{w, z, x, y\}$ that has lower entropy, and is no worse than $\mathcal{E}(\rho)$. We show this by finding a density matrix $\rho_0$, for which the maximum eigenvalue of $\mathcal{I}(\rho_0)$ is the same as in (3), which is the worst case for the newly found Pauli scheme. Hence, the Pauli encryption scheme of Section II is optimal amongst all possible encryption schemes.

After completion of this work, we learned of an alternative proof of optimality of Pauli encryption for a single qubit by Bouda and Ziman 0]. They investigated perfect encryption of a subspace of the Bloch sphere, while we are interested in approximate encryption of the whole Bloch sphere. Their proof uses the Kraus representation of the quantum channel, showing that the representation of a channel using orthogonal matrices requires the least amount of entropy. We also thank the anonymous referee for providing us with another shorter proof. Using the fact that every channel can be expressed also as a Pauli channel ([Hj]), we can utilize a clever trick by Nielsen ((§]) to prove that the weights of this Pauli channel majorize the weights of the original channel. Knowing that the entropy is concave, we can conclude that the Pauli realization of the channel requires the least amount of entropy. The details of this proof are given in Appendix A.2. Let us now continue with our proof.

Let $T$ be an encryption scheme with distribution $\{w_1, w_2, \ldots, w_N\}$ over $N$ unitaries $U_k$, where the weights are in decreasing order. We parametrize the unitaries as $U_k = e^{i\alpha_k} e^{i\phi_k n_k\cdot\sigma}$, where $n_k = (x_k, y_k, z_k)$ and $\sigma = (X, Y, Z)$. The phases are not important in our analysis and hence, we denote the parametrization of $U_k$ only as $U(\phi_k, n_k)$.

We have the following three cases:

Case 1: $w_1 + w_2 - 1/2 < 0$.

We show that the entropy $H$ of the encryption scheme $T$ is greater or equal to 2, and for $H = 2$, we already know a perfect encoding with four unitaries and $w_k = 1/4$. It is clear that if $w_1 < 1/4$ then the entropy is larger than 2. Let us assume that $w_1 \ge 1/4$. From the concavity of the Shannon entropy, we know that the entropy of a distribution that contains two weights $(w_k, w_l)$ with $w_k \ge w_l$ decreases if we change them into $(w_k + \Delta, w_l - \Delta)$.

Hence we can decrease the entropy of the initial distribution $\{w_1, w_2, \ldots, w_N\}$ by increasing the weight $w_2$ to make it equal to $w'_2 = 1/2 - w_1$ and decreasing some of the smaller weights. We can further decrease the entropy by making the middle weights all equal, i.e. $\{w_1, w'_2, w'_2, \ldots, w'_2, w_N\}$. Picking $w_1 = x$ fully determines the distribution, giving $w'_2 = 1/2 - x$ and $w_N = (4 - N)/2 + (N - 3)x$. The constraints $1/2 \ge w_1 \ge w'_2 \ge w_N \ge 0$ give us:

$$\frac{N - 3}{2(N - 2)} \ge x \ge \frac{N - 4}{2(N - 3)}. \qquad (7)$$

The entropy as a function of $x$ is concave (the second derivative is negative) and therefore, we look for the minimum entropy at the endpoints, given in (7). These endpoints correspond to choosing the distribution as $\{w_1, w_2, \ldots, w_2\}$ with $w_2 = (1 - w_1)/(N - 1)$. The entropy of such distributions as a function of $N$ is

$$H(N) = -w_1\log w_1 - (N - 1)\,w_2\log w_2 = -\frac{N - 3}{2(N - 2)}\log(N - 3) + 1 + \log(N - 2).$$

It's easy to see that this function is a monotone, growing function of $N$ with a minimum for $H(4) = 2$. We conclude that any encryption scheme with $N \ge 5$ unitaries and $w_1 + w_2 - 1/2 < 0$ uses entropy $H > 2$ and hence is worse than the perfect encryption scheme with four unitaries.


Case 2: $w_1 + w_2 - 1/2 > 0$ and $\sum_{k=3}^{n} w_k \le 2w_2$.

We show that there exists a Pauli encryption scheme that is no worse than $T$ and uses less entropy. Let $P$ be the Pauli scheme that uses the distribution $\{w_1, w_2, w_2, w'_3\}$. This is possible by the constraint $\sum_{k=3}^{n} w_k \le 2w_2$ and from the concavity of the entropy, $P$ uses less entropy. We also know from equation (3) that for the encryption scheme $P$

$$\max_\rho |\lambda_{\mathcal{I}(\rho)}| = w_1 + w_2 - \frac{1}{2}.$$

Without loss of generality, when encoding an input density matrix $\rho$ with the set of unitaries

$$U(\phi_1, n_1),\ U(\phi_2, n_2),\ U(\phi_3, n_3),\ \ldots,\ U(\phi_n, n_n)$$

one can equivalently analyze the encoding of the density matrix $\rho' = U_1 \rho U_1^\dagger$ with a related set of unitaries:

$$I,\ U(\phi_2, n_2),\ U(\phi'_3, n_3),\ \ldots,\ U(\phi'_n, n_n).$$

Since the approximation parameter $\epsilon$ of the encoding scheme is basis independent, it is now convenient to pick a basis in which the unitaries are of the form

$$I,\ Z^{\alpha_2},\ (z_3 Z + x_3 X + y_3 Y)^{\alpha_3},\ \ldots,\ (z_n Z + x_n X + y_n Y)^{\alpha_n},$$

where $x_k^2 + y_k^2 + z_k^2 = 1$, and $Z^{\alpha_2}$ denotes a rotation about the $z$-axis, namely $Z^{\alpha_2} = e^{-i\alpha_2 Z} = (\cos\alpha_2)I - i(\sin\alpha_2)Z$.
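Let us now check how well the $|z+\rangle$ state is encoded.

$$\rho = |z+\rangle\langle z+| = \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix}.$$

Note that since $\rho$ is an eigenstate of $Z$, it commutes with $Z^{\alpha_2}$. After some algebraic manipulations we have:

$$\mathcal{I}(\rho) = \mathcal{E}(\rho) - \frac{1}{2}I = \begin{pmatrix} \left(w_1 + w_2 - \frac{1}{2}\right) + \sum_{k=3}^{n} w_k A_k & \sum_{k=3}^{n} w_k B_k \\ \left(\sum_{k=3}^{n} w_k B_k\right)^* & -\left(w_1 + w_2 - \frac{1}{2}\right) - \sum_{k=3}^{n} w_k A_k \end{pmatrix},$$

where

$$A_k = \cos^2\alpha_k + z_k^2\sin^2\alpha_k,$$

$$B_k = (\cos\alpha_k + i z_k\sin\alpha_k)(x_k - i y_k)\, i\sin\alpha_k.$$

The eigenvalues of $\mathcal{I}(\rho)$ are now

$$\lambda_{\mathcal{I}(\rho)}^2 = \left(w_1 + w_2 - \frac{1}{2} + \sum_{k=3}^{n} w_k A_k\right)^2 + \left|\sum_{k=3}^{n} w_k B_k\right|^2.$$

We know that $w_1 + w_2 - 1/2 > 0$ and $A_k \ge 0$. Thus we can bound the eigenvalues as

$$\lambda_{\mathcal{I}(\rho)}^2 \ge \left(w_1 + w_2 - \frac{1}{2}\right)^2,$$

with $w_1$ and $w_2$ the two largest weights. The equality is achieved if we pick our unitaries with $z_k = 0$ and $\cos\alpha_k = 0$, which imply $A_k = B_k = 0$.

This is the same result as in equation (3) and hence no matter how we pick the unitaries, the encryption cannot be better than in the Pauli encryption scheme.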

Case 3: $w_1 + w_2 - 1/2 > 0$ and $\sum_{k=3}^{n} w_k > 2w_2$.

Since $w_1 + w_2 > 1/2$, we conclude that $w_1 > 1/4 > \frac{1}{3}\left(w_2 + \sum_{k=3}^{n} w_k\right)$ and so, it's possible to consider the Pauli scheme $P$ that uses the distribution $\left\{w_1,\ \frac{1}{3}\left(w_2 + \sum_{k=3}^{n} w_k\right),\ \frac{1}{3}\left(w_2 + \sum_{k=3}^{n} w_k\right),\ \frac{1}{3}\left(w_2 + \sum_{k=3}^{n} w_k\right)\right\}$. Moreover, the constraint $\sum_{k=3}^{n} w_k > 2w_2$ implies that $\frac{1}{3}\left(w_2 + \sum_{k=3}^{n} w_k\right) > w_2$ and hence from the concavity of the entropy, $P$ uses less entropy than $T$. From equation (3) we know that for the encryption scheme $P$

$$\max_\rho |\lambda_{\mathcal{I}(\rho)}| = \left| w_1 + \frac{1}{3}\left(w_2 + \sum_{k=3}^{n} w_k\right) - \frac{1}{2} \right|. \qquad (8)$$

In what follows, we calculate how well the states $|z+\rangle$, $|x+\rangle$ and $|y+\rangle$ are encrypted by $T$ and prove that at least one of them is encoded worse than in the Pauli scheme $P$. We pick the unitaries of $T$ to be

$$I,\ Z^{\alpha_2},\ (z_3 Z + x_3 X + y_3 Y)^{\alpha_3},\ \ldots,\ (z_n Z + x_n X + y_n Y)^{\alpha_n}.$$
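Similarly to Case 2, the $|z+\rangle$ state is encoded no better than with

$$\lambda_z^2 \ge \left(w_1 + w_2 + \sum_{k=3}^{n} w_k\left(\cos^2\alpha_k + \sin^2\alpha_k\cos^2\beta_k\right) - \frac{1}{2}\right)^2,$$

where we named $z_k = \cos\beta_k$, $x_k = \sin\beta_k\cos\gamma_k$ and $y_k = \sin\beta_k\sin\gamma_k$. Let us now check how well the $|x+\rangle$ state is encoded.

$$\rho_x = |x+\rangle\langle x+| = \frac{1}{2}\begin{pmatrix} 1 & 1 \\ 1 & 1 \end{pmatrix},\quad Z^{\alpha_2}\rho_x \left(Z^{\alpha_2}\right)^\dagger = \frac{1}{2}\begin{pmatrix} 1 & e^{-2i\alpha_2} \\ e^{2i\alpha_2} & 1 \end{pmatrix},\quad U_k\rho_x U_k^\dagger = \frac{1}{2}\begin{pmatrix} 1 + C_k & D_k - iE_k \\ D_k + iE_k & 1 - C_k \end{pmatrix},$$

where $D_k = \left(-1 + 2\cos^2\alpha_k + 2\sin^2\alpha_k\sin^2\beta_k\cos^2\gamma_k\right)$ and $C_k$, $E_k$ are functions of $\alpha_k$, $\beta_k$, $\gamma_k$ which do not affect the bounds. The encoding of $\rho_x$ becomes

$$\mathcal{I}(\rho_x) = \mathcal{E}(\rho_x) - \frac{1}{2}I = w_1 I\rho_x I + w_2 Z^{\alpha_2}\rho_x \left(Z^{\alpha_2}\right)^\dagger + \sum_{k\ge 3} w_k U_k\rho_x U_k^\dagger - \frac{1}{2}I = \frac{1}{2}\begin{pmatrix} \sum_{k\ge 3} w_k C_k & F - iG \\ F + iG & -\sum_{k\ge 3} w_k C_k \end{pmatrix},$$

where $F = w_1 - w_2 + 2w_2\cos^2\alpha_2 + \sum_{k\ge 3} w_k D_k$ and $G = w_2\sin 2\alpha_2 + \sum_{k\ge 3} w_k E_k$. We are ready to bound the eigenvalue:

$$\lambda_x^2 \ge \frac{1}{4}\left(w_1 - w_2 + 2w_2\cos^2\alpha_2 + \sum_{k\ge 3} w_k\left(-1 + 2\cos^2\alpha_k + 2\sin^2\alpha_k\sin^2\beta_k\cos^2\gamma_k\right)\right)^2$$

$$= \left(w_1 + w_2\cos^2\alpha_2 + \sum_{k\ge 3} w_k\cos^2\alpha_k + \sum_{k=3}^{n} w_k\sin^2\alpha_k\sin^2\beta_k\cos^2\gamma_k - \frac{1}{2}\right)^2.$$

Using the same type of computation as above, we encode the $|y+\rangle$ state and obtain a bound for the eigenvalues of $\mathcal{I}(\rho_y) = \mathcal{E}(\rho_y) - I/2$:

$$\lambda_y^2 \ge \left(w_1 + w_2\cos^2\alpha_2 + \sum_{k\ge 3} w_k\cos^2\alpha_k + \sum_{k=3}^{n} w_k\sin^2\alpha_k\sin^2\beta_k\sin^2\gamma_k - \frac{1}{2}\right)^2.$$

Summing the three inequalities of the eigenvalues, we obtain that

$$|\lambda_x| + |\lambda_y| + |\lambda_z| \ge 3w_1 + w_2 + \sum_{k=3}^{n} w_k + 2\sum_{k\ge 2} w_k\cos^2\alpha_k - \frac{3}{2} \ge 3w_1 + w_2 + \sum_{k=3}^{n} w_k - \frac{3}{2},$$

which implies that at least one of the three $\lambda$ is greater or equal to (8). This means the Pauli encryption scheme $P$ is no worse than $T$, while using less entropy.

This concludes the proof that Pauli encryption schemes are no worse than general encryption schemes. This also concludes the proof of Theorem 1.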

IV N-qubit independent encryption schemes

In this section we consider $n$-qubit encryption schemes which are composed of independent single-qubit schemes, each using $H$ amount of classical entropy.¹ By independent we mean that the encryption has the form $R(\rho) = (R_1 \otimes \ldots \otimes R_n)(\rho)$.

Theorem 2 Let $P$ be the single-qubit Pauli encryption scheme, which achieves the optimal approximation $\epsilon$ for the given entropy $H$. Then, the optimal $n$-qubit independent encryption scheme $R(\rho)$ is the same for both the 2- and the $\infty$-norm and has the following properties:

1. $R(\rho) = P^{\otimes n}(\rho)$.

2. $\left\|R(\rho) - \frac{I}{2^n}\right\|_2 \le \frac{\epsilon\sqrt{n}}{2^{n/2}} + \frac{o(\epsilon\sqrt{n})}{2^{n/2}}$.

3. $\left\|R(\rho) - \frac{I}{2^n}\right\|_\infty \le \frac{n\epsilon}{2^n} + \frac{o(n\epsilon)}{2^n}$.



Proof. We first employ a result by King jf)] to show that product states are the worst encoded states for independent encryption schemes. King proved that the $p$-norm of a product of unital channels² is multiplicative, i.e. for $p \ge 1$,

$$\max_\rho \|R(\rho)\|_p = \prod_{j=1}^{n}\left(\max_{\xi_j} \|R_j(\xi_j)\|_p\right). \qquad (9)$$

This shows that the norm is maximized by a product state $\rho = \xi_1 \otimes \cdots \otimes \xi_n$, where $\xi_i$ is the state of the $i$-th qubit. In our encryption schemes we measure the quality of the approximation by the maximum of the norm $\|R(\rho) - I/2^n\|_p$, for $p = 2$ and $p = \infty$. Let $\lambda_k$ be the eigenvalues of $R(\rho)$; then, the eigenvalues of $R(\rho) - I/2^n$ are $(\lambda_k - 1/2^n)$ and we have

$$\left\|R(\rho) - \frac{I}{2^n}\right\|_2^2 = \sum_{k=1}^{2^n}\left(\lambda_k - \frac{1}{2^n}\right)^2 = \sum_{k=1}^{2^n}\lambda_k^2 - \frac{2}{2^n} + \frac{1}{2^n} = \|R(\rho)\|_2^2 - \frac{1}{2^n}, \qquad (10)$$

$$\left\|R(\rho) - \frac{I}{2^n}\right\|_\infty = \max_k\left|\lambda_k - \frac{1}{2^n}\right| = \|R(\rho)\|_\infty - \frac{1}{2^n}. \qquad (11)$$

It is clear that the norm of $R(\rho) - I/2^n$ is maximized when the norm of $R(\rho)$ is maximized and therefore, for any independent encryption scheme the worst encoded state is a product state.

¹ For clarity of exposition, we assume that for each qubit we use the same amount of classical entropy. All the results go through in the more general case where for each qubit $k$ we use entropy $H_k$.

² A quantum channel $\Phi$ is unital if it preserves unity, i.e. $\Phi(I) = I$. The encryption schemes we consider here are unital. The $p$-norm of a channel $R$ is the maximum of $\|R(\rho)\|_p$ over all input states $\rho$. Note that the multiplicativity of the $p$-norms, and hence the additivity of the capacities of non-unital channels is a main open question [13].

Hence, in order to find the optimal independent encryption scheme, one needs to find the scheme that encrypts product states optimally. The encryption of a product state $R(\xi_1 \otimes \cdots \otimes \xi_n) = R_1(\xi_1) \otimes \cdots \otimes R_n(\xi_n)$ is also a product state and the eigenvalues of $R(\xi_1 \otimes \cdots \otimes \xi_n)$ are simply products of the eigenvalues of $R_k(\xi_k)$. Without loss of generality, let us now encrypt a state $\xi_1 \otimes \rho_{2\ldots n}$ using $R = R_1 \otimes R_{2\ldots n}$. The eigenvalues of the single-qubit encryption can be expressed as $\mu_{1,2} = (1 \pm \epsilon_1)/2$ and the eigenvalues of $R_{2\ldots n}(\rho_{2\ldots n})$ as $\nu_k = (1 + \delta_k)/2^{n-1}$ for $k = 1, \ldots, 2^{n-1}$. Hence, the eigenvalues and 2-norm of $R(\xi_1 \otimes \rho_{2\ldots n}) - I/2^n$ are

$$\lambda_{ik} - \frac{1}{2^n} = \frac{1}{2^n}\left(\delta_k \pm \epsilon_1(1 + \delta_k)\right), \qquad (12)$$

$$\left\|R(\xi_1 \otimes \rho_{2\ldots n}) - \frac{I}{2^n}\right\|_2^2 = \sum_{k=1}^{2^{n-1}}\sum_{i=1}^{2}\left(\lambda_{ik} - \frac{1}{2^n}\right)^2 = \frac{2}{2^{2n}}\sum_{k=1}^{2^{n-1}}\left(\delta_k^2 + \epsilon_1^2(1 + \delta_k)^2\right).$$

The last expression is a growing function of $\epsilon_1$ and therefore, the optimal $n$-qubit encryption scheme has to be optimal (i.e. Pauli) on the first qubit, giving the smallest possible upper bound on $\epsilon_1$. After going through this procedure for all qubits, we see that the optimal encryption scheme for product states in the 2-norm is the Pauli scheme $P^{\otimes n}$. It is straightforward to obtain the same statement for the $\infty$-norm using (12). This concludes the proof that the optimal $n$-qubit independent encryption scheme for both the 2- and the operator norm is the Pauli scheme $P^{\otimes n}(\rho)$.

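We now prove tight upper bounds for the quality of the approximation of the Pauli encryption scheme. For the 2-norm, equation (9) and induction imply

$$\max_\rho \|P^{\otimes n}(\rho)\|_2 = \left(\max_\xi \|P(\xi)\|_2\right)^n.$$

Let us pick $\xi$ to be the worst encoded single-qubit state for $P$. The eigenvalues of $P(\xi)$ are $(1 \pm \epsilon)/2$ and therefore:

$$\|P^{\otimes n}(\rho)\|_2 \le \max_\rho \|P^{\otimes n}(\rho)\|_2 = \left(\frac{1 + \epsilon^2}{2}\right)^{n/2}.$$

From equation (10), we bound the 2-norm of $P^{\otimes n}(\rho) - I/2^n$ as

$$\left\|P^{\otimes n}(\rho) - \frac{I}{2^n}\right\|_2 = \sqrt{\|P^{\otimes n}(\rho)\|_2^2 - \frac{1}{2^n}} \le \sqrt{\left(\frac{1 + \epsilon^2}{2}\right)^n - \frac{1}{2^n}} = \frac{\epsilon\sqrt{n}}{2^{n/2}} + \frac{o(\epsilon\sqrt{n})}{2^{n/2}}.$$

For the $\infty$-norm, multiplicativity of norms (9) implies

$$\|P^{\otimes n}(\rho)\|_\infty \le \max_\rho \|P^{\otimes n}(\rho)\|_\infty = \left(\max_\xi \|P(\xi)\|_\infty\right)^n = \left(\frac{1 + \epsilon}{2}\right)^n$$

and therefore equation (11) gives us

$$\left\|P^{\otimes n}(\rho) - \frac{I}{2^n}\right\|_\infty = \|P^{\otimes n}(\rho)\|_\infty - \frac{1}{2^n} \le \left(\frac{1 + \epsilon}{2}\right)^n - \frac{1}{2^n} = \frac{n\epsilon}{2^n} + \frac{o(n\epsilon)}{2^n}.$$

Note that both bounds are tight and achieved for product states. □

Since the bounds in Theorem 2 are tight, any good independent encryption scheme requires that the approximation parameter for each single qubit is $\epsilon = O(\frac{1}{\sqrt{n}})$ for the 2-norm and $\epsilon = O(\frac{1}{n})$ for the $\infty$-norm. Hence, from equation (|15j) we conclude that the amount of entropy needed for the encryption of $n$-qubit states is $2n - o(n)$.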

V General N-qubit Encryption Schemes

In the previous section, we found the optimal way to independently compose single-qubit encryption schemes in order to encrypt $n$-qubit states. However, one can do better with encryption schemes that do not act independently on each qubit. For example, the encryption scheme in [5] uniformly picks an $n$-qubit unitary from a set of $O(n2^n)$ random ones and hence it is not an independent encoding. Note also that it only uses $n + \log n + O(1)$ bits of entropy.

Ambainis and Smith ([3]) managed to derandomize the encryption scheme of [5] by explicitly describing the set of unitaries. In particular, they use a set of $2n$-bit strings, where each string corresponds to a product of $n$ Pauli matrices (the bits $\{2j - 1, 2j\}$ define the Pauli matrix for the $j$-th qubit). They prove that if the set of strings is a small-bias set of size $O(n2^n)$, then picking a random unitary from this set gives an $(\epsilon, n + 2\log n + 2\log\frac{1}{\epsilon})$ encryption scheme in the 2-norm.

A $\delta$-biased set is a set of $k$-bit strings such that for all possible subsets of bits, the probability over the set that the parity of the subset is 0 is in $[\frac{1}{2} - \delta, \frac{1}{2} + \delta]$. Naor and Naor [7] gave the first such construction with size polynomial in $k$ and $1/\delta$. Alon, Goldreich, Hastad and Peralta [1] showed a lower bound on the size of a $\delta$-biased set

Since we are interested in encryption schemes which use less than $2n$ bits of entropy, we only consider $\delta$-biased sets of size $o(2^{2n})$ and hence $\delta = \omega(\frac{1}{2^n})$. Ambainis and Smith showed the following:

There exists a function $\delta(n) = \omega(\frac{1}{2^n})$ such that any $O(\delta(n))$-biased set gives rise to a good encryption scheme in the 2-norm and moreover it has size $N = o(2^{2n})$.

In fact, their result holds for any 5{n) = a ^ 2 n/2 >, where $\alpha(n)$ is any slowly growing function of $n$ (e.g. $\log n$). Note that there are explicit constructions of such small-bias sets of size $N = \mathrm{poly}(\alpha(n), n)2^n$. However, it was an open question whether the same holds for the case of the $\infty$-norm. Here, we resolve this question by providing a counterexample. We show that

For any $\delta(n) = \omega(\frac{1}{2^n})$ there exists a $O(\delta(n))$-biased set of size $N = o(2^{2n})$ which is not good in the $\infty$-norm.

Let us, first, compute the norm $\left\|R(\rho) - \frac{I}{2^n}\right\|_\infty$, where $R$ is a Pauli encryption scheme and $\rho = |z+\rangle^{\otimes n}\langle z+|^{\otimes n}$. The density matrix of this state in the $z$-basis is

$$\rho = \begin{pmatrix} 1 & & & \\ & 0 & & \\ & & \ddots & \\ & & & 0 \end{pmatrix}.$$

The unitaries in the encryption scheme can be written as $U_k = U_1^k \otimes \cdots \otimes U_n^k$ with $U_j^k \in \{I, X, Y, Z\}$. For each unitary $U_k$ we define a string $\chi^k \in \{0, 1\}^n$ with $\chi_j^k = 0$ if $U_j^k \in \{I, Z\}$, and $\chi_j^k = 1$ if $U_j^k \in \{X, Y\}$. Note that $XZX = YZY = -Z$ and $ZZZ = IZI = Z$, and hence

$$R(\rho) = \frac{1}{N}\sum_{k=1}^{N}\bigotimes_{j=1}^{n}\frac{1}{2}\left(I + (-1)^{\chi_j^k} Z\right).$$

The density matrix of the encrypted state is again diagonal in the $z$-basis and therefore, its eigenvalues are simply its diagonal elements. The size of each eigenvalue $\lambda_\chi$ is exactly the number of unitaries $U_k$ with the same corresponding string $\chi$ divided by $N$. Thus,

$$\left\|R(\rho) - \frac{I}{2^n}\right\|_\infty = \max_\chi\left|\lambda_\chi - \frac{1}{2^n}\right| = \max_\chi\left|\frac{1}{N}(\#\text{ of unitaries with the same } \chi) - \frac{1}{2^n}\right|.$$

It is easy to see that starting from any small-bias set we can create a set which is asymptotically as good as the initial one and it has the extra property that it contains at least a $\delta(n)$ fraction of the unitaries with $\chi = 0$. We start with a $O(\delta(n))$-biased set of size $N$ and add $\delta(n)N$ unitaries with $\chi = 0$ to the initial set. The new set has size $N' = O(N)$ and bias $O(\delta(n))$, and therefore, it is asymptotically as good as the original set. Hence

$$\left\|R(\rho) - \frac{I}{2^n}\right\|_\infty = \max_\chi\left|\frac{1}{N'}(\#\text{ of unitaries with the same } \chi) - \frac{1}{2^n}\right| \ge \Theta(\delta(n)) - \frac{1}{2^n},$$

which means that the encryption scheme $R$ is not good in the $\infty$-norm. In other words, we show that although a $\delta$-biased set encryption scheme is always good for the 2-norm, this is not the case for the $\infty$-norm. However, it is still conceivable that one might be able to use $\delta$-biased sets with some extra properties in order to achieve good encryption for the $\infty$-norm.
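The padding argument above can be checked on a toy instance. This Python sketch is an added example, not code from the paper: it computes the bias of a set of $2n$-bit strings and the $\infty$-norm deviation for the input $|z+\rangle^{\otimes n}$ by counting strings with equal $\chi$, before and after padding with identity strings. The bit-pair convention (first bit of each pair set means X or Y), the function names, and the use of the full set of all $2n$-bit strings as a zero-bias starting point (which is not of size $o(2^{2n})$) are assumptions made to keep the instance small.

```python
from fractions import Fraction
from itertools import product


def chi(string, n):
    """chi_j = 1 when qubit j gets X or Y.

    Assumed encoding (not fixed by the text): bit pair (a, b) -> X^a Z^b.
    """
    return tuple(string[2 * j] for j in range(n))


def inf_norm_deviation(strings, n):
    """||R(rho) - I/2^n||_inf for rho = |z+><z+| on n qubits.

    The eigenvalue attached to a string chi is (number of unitaries with
    that chi) / N, as derived in the text.
    """
    total = len(strings)
    counts = {}
    for s in strings:
        key = chi(s, n)
        counts[key] = counts.get(key, 0) + 1
    uniform = Fraction(1, 2 ** n)
    devs = [abs(Fraction(c, total) - uniform) for c in counts.values()]
    if len(counts) < 2 ** n:  # some chi never occurs: eigenvalue 0
        devs.append(uniform)
    return max(devs)


def bias(strings, n):
    """Smallest delta with Pr[parity = 0] in [1/2 - delta, 1/2 + delta]
    for every non-empty subset of the 2n bit positions."""
    total = len(strings)
    worst = Fraction(0)
    for mask in product((0, 1), repeat=2 * n):
        if not any(mask):
            continue
        even = sum(1 for s in strings
                   if sum(a & b for a, b in zip(s, mask)) % 2 == 0)
        worst = max(worst, abs(Fraction(even, total) - Fraction(1, 2)))
    return worst


def pad_with_identity(strings, n, delta):
    """Add delta * N copies of the all-zero string (identity, chi = 0)."""
    extra = int(delta * len(strings))
    return list(strings) + [(0,) * (2 * n)] * extra


def demo(n=3, delta=Fraction(1, 4)):
    # Constructed input: every 2n-bit string once, which has bias 0.
    base = list(product((0, 1), repeat=2 * n))
    padded = pad_with_identity(base, n, delta)
    return {
        "base": (bias(base, n), inf_norm_deviation(base, n)),
        "padded": (bias(padded, n), inf_norm_deviation(padded, n)),
        "target_scale": Fraction(1, 2 ** n),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In this instance the padded set's bias stays on the order of $\delta$, while its $\infty$-norm deviation is larger than $1/2^n$ itself, so no bound of the form $\epsilon/2^n$ with small $\epsilon$ can hold.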
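A Appendix

A.1 Minimization of the entropy $H(\epsilon, z)$

Here, we provide the details for the minimization of the function $H(\epsilon, z)$ with respect to $z$ that concludes the proof of the optimal trade-off between approximation and entropy. Recall that

$$H(\epsilon, z) = -\left(\tfrac{1}{2} + \epsilon - z\right)\log\left(\tfrac{1}{2} + \epsilon - z\right) - 2z\log z - \left(\tfrac{1}{2} - \epsilon - z\right)\log\left(\tfrac{1}{2} - \epsilon - z\right)$$

and the constraints are

$$\frac{1}{4} + \frac{\epsilon}{2} \ge z \ge \frac{1}{4} - \frac{\epsilon}{2}, \qquad (13)$$

$$\frac{1}{2} - \epsilon \ge z. \qquad (14)$$

The entropy as a function of $z$ is again a concave function and hence, in order to find the minimum we investigate the endpoints of the allowed interval for $z$. There are two cases:

Case 1: for $\epsilon < 1/6$, the constraint (13) is tighter. The left endpoint is $\left\{\frac{1}{4} + \frac{\epsilon}{2},\ \frac{1}{4} + \frac{\epsilon}{2},\ \frac{1}{4} + \frac{\epsilon}{2},\ \frac{1}{4} - \frac{3\epsilon}{2}\right\}$, giving

$$H_1(\epsilon) = -3\left(\frac{1}{4} + \frac{\epsilon}{2}\right)\log\left(\frac{1}{4} + \frac{\epsilon}{2}\right) - \left(\frac{1}{4} - \frac{3\epsilon}{2}\right)\log\left(\frac{1}{4} - \frac{3\epsilon}{2}\right).$$

The right endpoint is $\left\{\frac{1}{4} + \frac{3\epsilon}{2},\ \frac{1}{4} - \frac{\epsilon}{2},\ \frac{1}{4} - \frac{\epsilon}{2},\ \frac{1}{4} - \frac{\epsilon}{2}\right\}$, giving

$$H_2(\epsilon) = -\left(\frac{1}{4} + \frac{3\epsilon}{2}\right)\log\left(\frac{1}{4} + \frac{3\epsilon}{2}\right) - 3\left(\frac{1}{4} - \frac{\epsilon}{2}\right)\log\left(\frac{1}{4} - \frac{\epsilon}{2}\right).$$

At $\epsilon = 0$, $H_1 = H_2 = 2$. At $\epsilon = 1/6$, $H_1 < H_2$. The derivative of $H_2 - H_1$ is always negative,

$$\frac{d(H_2 - H_1)}{d\epsilon} = \frac{3}{2}\log\frac{(1 - 2\epsilon)(1 - 6\epsilon)}{(1 + 2\epsilon)(1 + 6\epsilon)},$$

so we conclude that $H_1$ is the best choice for $\epsilon < 1/6$. At $\epsilon = 1/6$, $H_1$ achieves the value of $\log_2 3$, which means only three equally weighted unitaries are used.

Case 2: for $\epsilon > 1/6$, the constraint (14) is tighter, changing the left endpoint of $z$ to $z = 1/2 - \epsilon$. This sets $y = 0$, which is the regime of using only three unitaries, i.e. the distribution is $\left\{2\epsilon,\ \frac{1}{2} - \epsilon,\ \frac{1}{2} - \epsilon,\ 0\right\}$ and the entropy

$$H_3(\epsilon) = -2\epsilon\log 2\epsilon - 2\left(\frac{1}{2} - \epsilon\right)\log\left(\frac{1}{2} - \epsilon\right).$$

The second derivative of $H_3 - H_2$ is always negative,

$$\frac{d^2}{d\epsilon^2}(H_3 - H_2) = -2\left[\epsilon(1 - 2\epsilon)(1 + 6\epsilon)\ln 2\right]^{-1},$$

so the function $H_3 - H_2$ is concave. That allows for only two points where $H_3 = H_2$. One of them is at $\epsilon = 1/2$, the other is found numerically to be $\epsilon_0 \approx 0.287$ with $H_0 \approx 1.41$. We conclude that for $1/6 < \epsilon < \epsilon_0$, the choice of $H_3$ is optimal, whereas for $\epsilon_0 < \epsilon < 1/2$, the best choice is $H_2$.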
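The trade-off stated in Theorem 1 and derived in this appendix can be reproduced numerically. The following Python sketch is an added example, not code from the paper: it builds the three endpoint distributions, picks the one with least entropy, locates the crossover $\epsilon_0$ by bisection, and checks the worst-case deviation by applying the Pauli channel to explicit $2\times 2$ density matrices. All function names are made up for this illustration, and the sampling grid over the Bloch sphere is an arbitrary choice.

```python
import math

# Pauli matrices as nested tuples, in the order (I, X, Y, Z).
PAULIS = (
    ((1, 0), (0, 1)),
    ((0, 1), (1, 0)),
    ((0, -1j), (1j, 0)),
    ((1, 0), (0, -1)),
)


def entropy(dist):
    """Shannon entropy in bits; zero weights contribute nothing."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def candidates(eps):
    """Endpoint distributions of Appendix A.1, weights in decreasing order."""
    h1 = (0.25 + eps / 2,) * 3 + (0.25 - 1.5 * eps,)
    h3 = (2 * eps, 0.5 - eps, 0.5 - eps, 0.0)
    h2 = (0.25 + 1.5 * eps,) + (0.25 - eps / 2,) * 3
    valid = []
    for d in (h1, h3, h2):
        ordered = all(a >= b - 1e-12 for a, b in zip(d, d[1:]))
        if ordered and d[-1] >= -1e-12:
            valid.append(tuple(max(p, 0.0) for p in d))
    return valid


def optimal_distribution(eps):
    """Least-entropy endpoint distribution for approximation eps in [0, 1/2]."""
    return min(candidates(eps), key=entropy)


def crossover(lo=1 / 6, hi=0.45, tol=1e-12):
    """Bisection for eps_0, the root of H_3 - H_2 inside (1/6, 1/2)."""
    def gap(eps):
        h3 = (2 * eps, 0.5 - eps, 0.5 - eps)
        h2 = (0.25 + 1.5 * eps,) + (0.25 - eps / 2,) * 3
        return entropy(h3) - entropy(h2)
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if gap(mid) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def matmul(a, b):
    return tuple(tuple(sum(a[i][k] * b[k][j] for k in range(2))
                       for j in range(2)) for i in range(2))


def pauli_weights(sorted_dist):
    """Map decreasing weights to (I, X, Y, Z) using the order w >= z >= x >= y."""
    w, z, x, y = sorted_dist
    return (w, x, y, z)


def deviation(weights, r):
    """Largest |eigenvalue| of E(rho) - I/2 for the qubit with Bloch vector r."""
    rx, ry, rz = r
    rho = ((0.5 * (1 + rz), 0.5 * (rx - 1j * ry)),
           (0.5 * (rx + 1j * ry), 0.5 * (1 - rz)))
    m = [[0j, 0j], [0j, 0j]]
    for wt, p in zip(weights, PAULIS):
        t = matmul(matmul(p, rho), p)  # Paulis are Hermitian: P^dagger = P
        for i in range(2):
            for j in range(2):
                m[i][j] += wt * t[i][j]
    m[0][0] -= 0.5
    m[1][1] -= 0.5
    # A traceless Hermitian 2x2 matrix has eigenvalues +-sqrt(-det).
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return math.sqrt(max(0.0, -det.real))


def worst_case_deviation(weights, steps=24):
    """Maximum deviation over a grid of pure states that contains the axes."""
    best = 0.0
    for a in range(steps + 1):
        theta = math.pi * a / steps
        for b in range(2 * steps):
            phi = math.pi * b / steps
            r = (math.sin(theta) * math.cos(phi),
                 math.sin(theta) * math.sin(phi), math.cos(theta))
            best = max(best, deviation(weights, r))
    return best


if __name__ == "__main__":
    print("eps_0 =", crossover())
    for eps in (0.05, 0.2, 0.4):
        d = optimal_distribution(eps)
        print(eps, d, entropy(d), worst_case_deviation(pauli_weights(d)))
```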

A.2 Another proof of optimality of Pauli Encryption Schemes

It is known ^U] that every unital channel $\mathcal{E}$ with weights $\{w_k\}$ and unitaries $U_k$ is equivalent to a Pauli channel with some other weights $\{x_m\}$, that is

$$\mathcal{E}(\rho) = \sum_k w_k U_k \rho U_k^\dagger \qquad (15)$$

$$\mathcal{E}(\rho) = x_1\rho + x_2 X\rho X + x_3 Y\rho Y + x_4 Z\rho Z. \qquad (16)$$

This channel is an $\epsilon$-randomizing map. We will prove that the Pauli realization of it has smaller entropy.

Suppose we act with this channel on one half of the Bell state $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$. The first definition of $\mathcal{E}$ will give us

$$\rho' = \mathcal{E}(\rho) = \sum_k w_k (U_k \otimes I)\,|\phi^+\rangle\langle\phi^+|\,(U_k \otimes I)^\dagger = \sum_k w_k |\phi_k\rangle\langle\phi_k|, \qquad (17)$$

where $|\phi_k\rangle = (U_k \otimes I)|\phi^+\rangle$ are pure states. On the other hand, the second realization of $\mathcal{E}$ (with Pauli operations) acting on one half of the state $|\phi^+\rangle$ will transform it into a state with density matrix diagonal in the Bell basis, $\rho' = \mathrm{diag}(x_1, x_2, x_3, x_4)$.

In Nielsen showed that when a density matrix can be expressed as $\rho' = \sum_k w_k |\phi_k\rangle\langle\phi_k|$, where $|\phi_k\rangle$ are normalized states, the (ordered) vector of probabilities $w_k$ is majorized by the vector of eigenvalues of $\rho'$, that is $(w_k) \prec \lambda(\rho')$.

In our case, the vector of eigenvalues of $\rho'$ is $(x_m)$, and the majorization $(w_k) \prec (x_m)$ means $\sum_{m=1}^{n} w_m \le \sum_{m=1}^{n} x_m$ for any $n \ge 1$. Note that if the length of $(w_k)$ is greater than four, we pad the vector $(x_m)$ by zero entries to make the lengths of the vectors equal.

The entropy function is concave. Because the vector of weights for the Pauli realization $(x_k)$ majorizes the vector of weights for the original realization $(w_k)$, the Pauli realization of the channel has smaller entropy, $S(\{x_k\}) \le S(\{w_k\})$. This means the Pauli channel is the optimal (entropy-wise) realization of any unital channel.